Abstract

The  logic  BAN  was  developed  in  the  late  eighties  to  reason  about  authenticated 
key  establishment  protocols.  It  uncovered  many  flaws  and  properties  of  protocols, 
thus  generating  lots  of  attention  in  protocol  analysis.  BAN  itself  was  also  subject 
of  much  attention,  and  work  was  done  examining  its  properties  and  limitations, 
developing  extensions  and  alternatives,  and  giving  it  a  semantics. 

More  recently,  the  strand  space  approach  was  developed.  This  approach  gave  a 
graph  theoretic  characterization  of  the  causally  possible  interactions  between  local 
histories  (strands)  along  with  a  term  algebra  to  express  sent  and  received  messages. 
This  model  was  designed  and  has  been  used  by  its  authors  for  direct  application 
to  authentication  protocol  analysis.  However,  it  has  also  quickly  attracted  the 
attention  of  many  other  researchers  in  the  field  as  useful  in  connection  to  related 
work,  such  as  model  checking  approaches. 

Here  we  discuss  the  idea  of  using  strand  spaces  as  the  model  of  computation 
underlying  a  semantics  for  BAN-style  expressions.  This  will  help  to  integrate  some 
of  the  approaches  to  security  protocol  analysis  and  to  hopefully  provide  BAN  logics 
with  a  clearer,  more  useful  underlying  model  than  they  have  had  to  date. 


1  Early  Approaches  to  Knowledge 

Automated approaches using model checkers, theorem provers and the like
have increasingly been at the heart of formal analysis of security protocols for
the last several years. However, for much of the nineties the most well known
and successful approach to this problem was hand analysis using specialized
logics. A belief logic, BAN [2], was widely used to reveal a number of flaws and
hidden assumptions in protocols. It also gave rise to a number of extensions,
variations and related alternatives, which also had many successes. We will
return to BAN below, but we first begin at the beginning. Hand logics themselves
began to be published at about the same time as other formal methods
of protocol analysis, in the late eighties. But the first epistemic treatment
of protocols may be found about five years earlier in the work of Merritt and
various coauthors [10,4,11]. (As implied, "hand logics" were originally devised
for hand analysis; however, most of them have been automated in one form or
another, often with great success.) Merritt's approach was basically algebraic
rather than logical. However, this algebraic approach was used to characterize
the state of knowledge of various protocol participants. We will see that this
approach can be closely related to the semantics of an epistemic logic.


1.1  Algebraic  Knowledge  Semantics 

The semantics used to underlie much of epistemic logic is based on a model
theoretic treatment of possible worlds. The idea of possible worlds is that there
are different ways the world might be (or epistemically, might be conceived
to be). For each principal we can partition all the possible worlds into
those that are indistinguishable to him. Since this is a partition, it yields
an indistinguishability relation that is an equivalence. For example, if Bob
does not know whether Alice is in her office, then worlds in which Alice is
in her office and worlds where she is not in her office are indistinguishable
to him (excluding other distinguishing information). Thus, possible worlds
can be used to underlie a logic of knowledge. This has been studied as far
back as [8]. The characterization of knowledge by equivalence relations is
in fact just one of the types of knowledge set out in [8] and later. Other
relations are possible; thus indistinguishability is sometimes more generally
called 'accessibility', e.g., the relation might not be symmetric. What has all
this to do with cryptographic protocols?

Suppose Alice and Bob are executing a coin-flip protocol. Alice sends to
Bob two messages in random order; one is the encryption of a bit representing
heads and the other that of a bit representing tails. They are both encrypted
with the same key, which is known only to Alice. In the common notation
we have $\{Heads\}_K$ and $\{Tails\}_K$, where Bob does not know $K$. Bob does
not know whether the first or second message is the encryption of Heads.
(Actually, he does not know that either is the encryption of Heads at all. But
we ignore this for the moment.) So, there are (at least) two possible worlds
indistinguishable by Bob: one where he has been sent the encryption of Heads
followed by the encryption of Tails, and the other where that order is reversed.

Merritt examined such protocols using free algebras of messages with
encryption and decryption operators. Such a free algebra represents the basic
structure of the cryptosystem. The specific encryption and decryption
algorithms used and the domain of messages is called the crypto-algebra. If we
assume that there are no flaws in the crypto algorithms themselves, we can
basically assume that the free algebra and the crypto-algebra are isomorphic.
In the coin-flip example, Bob does not know about all the messages. Thus,
there are different homomorphic mappings from the free algebra to the
crypto-algebra that are indistinguishable by Bob. These mappings are effectively
the indistinguishable possible worlds for Bob in this state.

This algebraic approach was extended by Toussaint [23] to examine
evolving knowledge in protocol executions. The connection between such algebraic
approaches and epistemic logic was made explicit by Bieber [3] when he used
the constructs of [11] to underlie the semantics of his logic CKT5. There have
been other algebraic approaches to authentication protocol representation and
analysis, for example, using process algebras such as CSP and the spi calculus.
We will not discuss these in this paper.

2  The  BAN  Family 

We now turn to a particular family of logics, stemming from the BAN logic
of Burrows, Abadi, and Needham. BAN was created for examining
authenticated key distribution protocols. These are typically protocols that allow
two parties to establish a key for a secure communication session. Since the
parties do not usually have a pre-existing shared secret, these protocols rely
on a trusted server (either online or offline) to facilitate the distribution and
often to generate the session key. Typical goals of such protocols are thus
that the parties share the key, that no-one else does, and that they know with
whom they are sharing the key.

The contribution of BAN was to set out a logic in simple terms (notably
belief, jurisdiction, freshness, and the goodness of a key for two named
principals) that revealed hidden assumptions and flaws in protocols through quite
simple hand analysis. Another contribution that BAN made was to reason
about time, but only in the roughest terms. Specifically, they distinguished
only between messages that were fresh, i.e., sent during the current epoch, and
those that were not. This also proved to be a very useful balance of simplicity
and expressiveness.

Here is an example of a BAN "message-meaning" rule.

$$\frac{P \models P \stackrel{K}{\leftrightarrow} Q,\quad P \triangleleft \{X\}_K}{P \models Q \mid\!\sim X}$$

This basically says that if $P$ believes $K$ is a good key for $P$ to talk with
$Q$ and $P$ receives $X$ encrypted with $K$, then $P$ believes that $Q$ once said $X$.
The rule assumes that $P$ can recognize messages he produced himself.

Rather  than  set  out  all  the  rules  of  BAN,  we  will  go  through  the  concepts 
that  were  introduced  in  BAN  and  sometimes  modified  by  others.  We  will  also 
generally  use  the  notation  of  AT  [1]  and  SVO  [17],  which  is  closer  to  ordinary 
English. 
Freshness

A  message  is  fresh  if  it  has  not  been  part  of  a  message  sent  prior  to  the  current 
epoch.  It  is  sufficient  but  not  necessary  for  freshness  that  a  message  be  unseen 
prior  to  the  current  epoch.  A  principal  might  generate  a  message  earlier  and 
not  send  it  until  the  epoch  begins. 

Freshness is central to the notion of authentication. Just because someone
once said that a key was good does not mean that they would say so now. If
a message is bound, e.g., cryptographically, to a fresh message, then it must
itself be fresh. Freshness is typically ensured by means of nonces (random
numbers generated to be recognized later by those who generate them) or
timestamps from a trusted source.

One limitation of BAN is that the only way to promote to the present
epoch from $P$ said $M$ (given that $\mathit{fresh}(M)$) is to say that $P$ believes $M$. BAN
has no expression $P$ says $M$. Amongst other things, this either (1) limits the
promotion of once-said to recently-said (believed) messages to formulae rather
than messages in general, or (2) gives rise to a somewhat counterintuitive
notion of belief. (Briefly, a formula is essentially a message that expresses a
proposition. We assume a language in which all formulae are messages, but
not necessarily vice versa.) The says notation was introduced in [1].

Saying  and  Receiving 

As the message meaning rule illustrates, one says not only the messages one
sends, but also certain messages implicit in what one sends. Similarly for
receiving, e.g., one receives the concatenates of a concatenated message. BAN
generally does not express those messages simply possessed by a principal,
as opposed to sent and received. For example, in contrast to the message
meaning rule, assuming that $P$ received $\{X\}_K$, if $P$ sees $K$ (whether or not
$P$ believes $P \stackrel{K}{\leftrightarrow} Q$), then $P$ sees $X$, whether or not $P$ believes ($Q$ said $X$).
This expressiveness was added in GNY [7], and to some extent in [1].

More importantly, BAN cannot distinguish between those messages that
are understood by a recipient, e.g., upon decryption, and those that are not.
This is not to say that BAN did not address this question. It was simply
explicitly limited to describing receipt of messages that could be understood.
Notation and rules to represent and reason with recognizability were added in
[7], and a systematic semantic treatment of comprehension of messages was
introduced in [17].

The semantics presented in this paper will distinguish between whole
messages that $P$ received and messages that may be contained in these that
$P$ got. We will see below, in section 4.3.1, that these have a more
extensional meaning than the recognizable messages of GNY or the comprehended
messages of SVO. We will leave for future work discussion of those messages
that $P$ simply possesses.

Jurisdiction 

One needs a way to promote a claim by a key server that $K$ is good for
$P$ and $Q$ to speak ($P \stackrel{K}{\leftrightarrow} Q$) to the truth of this claim. This is the notion
of jurisdiction. In BAN, one could express that if $P$ believes $Q$ controls $\varphi$
and $P$ believes $Q$ believes $\varphi$, then $P$ believes $\varphi$. In AT, with its says
construct, jurisdiction can be boiled down to its essentials: if $Q$ controls $\varphi$ and
$Q$ says $\varphi$, then $\varphi$. Belief is not necessary to express jurisdiction. In general,
AT separated out the belief axioms from the other axioms, allowing a normal
modal logic of belief and a model-theoretic possible world semantics for it.

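The rules this section describes in prose (message meaning, decomposition of what is seen and of what was once said, promotion of a once-said message bound to a fresh nonce to a current belief of the speaker, and jurisdiction) are small enough to run as a forward-chaining derivation. The following is an added example written for this page, not code from the paper; it covers only the shared-key case, folds the rule "a message bound to a fresh message is fresh" into the promotion step, and the idealized server message $\{Na, A \stackrel{Kab}{\leftrightarrow} B\}_{Kas}$, the principal names and the key names are all constructed.

```python
from __future__ import annotations

# Added example, not from the paper: a small forward-chaining derivation for the
# shared-key BAN rules this section states in prose.  Formulae are nested tuples:
#   ("believes", P, phi)   P believes phi        ("sees", P, M)        P receives M
#   ("said", P, M)         P once said M         ("fresh", M)          M is fresh
#   ("controls", P, phi)   P has jurisdiction    ("goodkey", K, P, Q)  K good for P, Q
#   ("enc", K, M)          {M}_K                 ("pair", M1, M2)      concatenation
# The protocol step (an idealized server message {Na, A<-Kab->B}_Kas) and all
# names are constructed for the example.


def goodkey(K, P, Q):
    """K is a good key for P and Q; the pair is stored sorted, so the formula is symmetric."""
    return ("goodkey", K) + tuple(sorted((P, Q)))


def components(M):
    """M together with the concatenates it contains; ciphertexts are not opened."""
    out = {M}
    if isinstance(M, tuple) and M[0] == "pair":
        out |= components(M[1]) | components(M[2])
    return out


def derive(facts) -> frozenset:
    """Apply the rules until no new formula appears."""
    facts = set(facts)
    while True:
        new = set()
        believes = [(f[1], f[2]) for f in facts if f[0] == "believes"]
        sees = [(f[1], f[2]) for f in facts if f[0] == "sees"]
        for P, M in sees:
            for X in components(M):                      # one receives the concatenates
                new.add(("sees", P, X))
            if isinstance(M, tuple) and M[0] == "enc":
                K, X = M[1], M[2]
                for P2, phi in believes:
                    if (P2 == P and isinstance(phi, tuple) and phi[0] == "goodkey"
                            and phi[1] == K and P in phi[2:]):
                        Q = phi[2] if phi[3] == P else phi[3]
                        new.add(("sees", P, X))          # P decrypts with a key it believes good
                        if Q != P:                       # message meaning (not P's own message)
                            new.add(("believes", P, ("said", Q, X)))
        for P, phi in believes:
            if not isinstance(phi, tuple):
                continue
            if phi[0] == "said":                         # once-said decomposes like sees
                Q, M = phi[1], phi[2]
                for X in components(M):
                    new.add(("believes", P, ("said", Q, X)))
                # A message bound to a fresh nonce is fresh, and a fresh once-said
                # message is promoted to a current belief of the speaker.
                if any((P, ("fresh", X)) in believes for X in components(M)):
                    new.add(("believes", P, ("believes", Q, M)))
            elif phi[0] == "believes":
                Q, M = phi[1], phi[2]
                for X in components(M):
                    new.add(("believes", P, ("believes", Q, X)))
            elif phi[0] == "controls":                   # jurisdiction
                Q, psi = phi[1], phi[2]
                if (P, ("believes", Q, psi)) in believes:
                    new.add(("believes", P, psi))
        if new <= facts:
            return frozenset(facts)
        facts |= new


def key_distribution_example(nonce_fresh=True):
    """A believes Kas is shared with S and that S has jurisdiction over A<-Kab->B;
    A receives {Na, A<-Kab->B}_Kas.  With Na fresh, A ends up believing the key is
    good; without freshness A only gets 'S once said it' (a replayed message)."""
    A, B, S = "A", "B", "S"
    goal = goodkey("Kab", A, B)
    facts = {("believes", A, goodkey("Kas", A, S)),
             ("believes", A, ("controls", S, goal)),
             ("sees", A, ("enc", "Kas", ("pair", "Na", goal)))}
    if nonce_fresh:
        facts.add(("believes", A, ("fresh", "Na")))
    return derive(facts)
```

Running `key_distribution_example(False)` shows the point made under Freshness above: without $A$ believing $Na$ fresh, the derivation stops at "$A$ believes $S$ once said the key is good", which is exactly what a replayed server message would also yield, and jurisdiction never fires.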
Keys 

BAN is expressive enough to reason about both public-key and secret-key
authentication protocols. As noted, the ability to directly express possession of
keys, and to reason accordingly, was added in GNY and AT. In VO [12], the
ability to reason about Diffie-Hellman key agreement was added to a version
of GNY. Also added was the differentiation of public key use for signature and
encryption. A semantics for all of these was given in [17]. For the remainder
of this paper, we will limit ourselves to secret-key expressions for simplicity.
We will also not talk about other cryptographic constructs, such as hashes.
These are all left for future work.

This  concludes  our  nutshell  exposition  of  the  main  concepts  formalized  in 
BAN-style  languages.  It  does  not  nearly  address  all  of  the  issues  that  were 
engendered  by  BAN,  nor  all  of  the  authors  that  discussed  them.  However, 
it  does  cover  all  of  the  main  concepts  formalized  in  BAN.  So,  it  is  adequate 
for  purposes  of  a  first  attempt  to  sketch  a  strand  semantics  for  a  BAN-style 
language.  We  now  turn  to  the  presentation  of  the  necessary  background  on 
strand  spaces. 

3  Strand  Spaces 

In this section, we sketch out some of the basic elements of strand spaces. We
also discuss some small extensions to make the model richer and to allow it
to serve as a semantics for a richer logic. We present here only as much of the
model as is needed to understand its use as a semantics in the next section.
Further details can be found in [19-22].

A  strand  is  basically  a  local  history  of  sent  and  received  messages  in  a 
protocol  run.  A  strand  space  is  a  collection  of  strands.  A  bundle  is  a  graph  that 
reflects  a  causally  meaningful  way  that  a  set  of  strands  might  be  connected. 

The messages sent between principals are taken from an algebra $A$ of terms.
We will say more about the algebra presently. Terms can be signed, e.g., $+t$
or $-t$, to indicate sending and receiving of messages respectively. Let $\Sigma$ be
a set of strands and $(\pm A)^*$ be the set of all finite sequences of signed terms.
The following definitions are taken from [22].

Definition 3.1 A strand space over $A$ is a set $\Sigma$ together with a trace mapping
$\mathrm{tr} : \Sigma \to (\pm A)^*$.

Definition 3.2 Fix a strand space $\Sigma$.

(i) A node is a pair $(s,i)$, with $s \in \Sigma$ and $i$ an integer satisfying
$1 \le i \le \mathrm{length}(\mathrm{tr}(s))$. The set of nodes is denoted by $\mathcal{N}$. We will say the node
$(s,i)$ belongs to the strand $s$. Clearly, every node belongs to a unique
strand.

(ii) If $n = (s,i) \in \mathcal{N}$ then $\mathrm{index}(n) = i$ and $\mathrm{strand}(n) = s$. Define $\mathrm{term}(n)$ to
be $(\mathrm{tr}(s))_i$, i.e. the $i$th signed term in the trace of $s$. Similarly, $\mathrm{unsterm}(n)$
is $((\mathrm{tr}(s))_i)_2$, i.e. the unsigned part of the $i$th signed term in the trace of
$s$.

(iii) There is an edge $n_1 \to n_2$ if and only if $\mathrm{term}(n_1) = +a$ and
$\mathrm{term}(n_2) = -a$ for some $a \in A$. Intuitively, the edge means that node $n_1$ sends
the message $a$, which is received by $n_2$, recording a potential causal link
between those strands.

(iv) When $n_1 = (s,i)$ and $n_2 = (s,i+1)$ are members of $\mathcal{N}$, there is an edge
$n_1 \Rightarrow n_2$. Intuitively, the edge expresses that $n_1$ is an immediate causal
predecessor of $n_2$ on the strand $s$. We write $n' \Rightarrow^{+} n$ to mean that $n'$
precedes $n$ (not necessarily immediately) on the same strand.

$\mathcal{N}$ together with both sets of edges $n_1 \to n_2$ and $n_1 \Rightarrow n_2$ is a directed
graph $\langle \mathcal{N}, (\to \cup \Rightarrow) \rangle$.

Definition 3.3 Suppose $\to_C \subseteq \to$; suppose $\Rightarrow_C \subseteq \Rightarrow$; and suppose
$C = \langle \mathcal{N}_C, (\to_C \cup \Rightarrow_C) \rangle$ is a subgraph of $\langle \mathcal{N}, (\to \cup \Rightarrow) \rangle$. $C$ is a bundle if:

(i) $C$ is finite.

(ii) If $n_2 \in \mathcal{N}_C$ and $\mathrm{term}(n_2)$ is negative, then there is a unique $n_1$ such that
$n_1 \to_C n_2$.

(iii) If $n_2 \in \mathcal{N}_C$ and $n_1 \Rightarrow n_2$ then $n_1 \Rightarrow_C n_2$.

(iv) $C$ is acyclic.

Definition 3.4 If $S$ is a set of edges, i.e. $S \subseteq (\to \cup \Rightarrow)$, then $\prec_S$ is the
transitive closure of $S$, and $\preceq_S$ is the reflexive, transitive closure of $S$.

The relations $\prec_S$ and $\preceq_S$ are each subsets of $\mathcal{N}_S \times \mathcal{N}_S$, where $\mathcal{N}_S$ is the
set of nodes incident with any edge in $S$.

These  are  all  of  the  definitions  that  we  need  to  set  out  a  possible  worlds 
model  and  semantics  for  sending,  receiving,  and  knowledge.  We  will  provide 
below  more  details  about  the  term  algebra  that  will  allow  us  to  express,  e.g., 
that  a  principal  who  receives  a  ciphertext  (encrypted  message)  and  has  the 
decryption  key  has  also  got  the  unencrypted  message. 

4  Possible  worlds  from  Strand  Spaces 

We now describe the possible world semantics of epistemic logics for
distributed computing in general and for security protocols in particular, e.g.,
[1,17].
4.1 Traditional System Model and Knowledge Semantics

Computation is performed by a finite set of principals, $P_1, \ldots, P_n$, who send
messages to one another. In addition there is a principal $P_e$ representing
the environment. This allows modeling of any penetrator actions as well as
reflecting messages in transit.

Each principal $P_i$ has a local state $s_i$. A global state is thus an $(n+1)$-tuple
of local states.

A run is a sequence of global states indexed by integral times. The first
state of a given run $r$ is assigned a time $t_r \le 0$. The initial state of the current
authentication is at $t = 0$. The global state at time $t$ in run $r$ determines
a possible world (sometimes also called nodes or points). We assume that
global states are unique wrt runs and times. Thus, they can be referred to
by, e.g., '$(r,t)$'. At any given global state, various things will be true, e.g.,
that principal $Q$ has previously sent the message $\{X\}_K$. What a principal
$P$ then knows (believes) at a given point $(r,t)$ is precisely that which is true
at all possible worlds with the same local state $r_P(t)$ for $P$ as $(r,t)$. This is
typically captured by means of an accessibility relation $\sim_P$ on global states
for a principal $P$. As noted in section 1.1, when the relation is an equivalence,
it is also called an indistinguishability relation for a principal $P$. This
allows for a simple intuitive definition, without even having to describe in any
way properties of local states, viz:

• $(r,t) \sim_P (r',t')$ iff $P$ is in the same local state at both points, i.e., $r_P(t) = r'_P(t')$.

(Aside: When the relation is not an equivalence, we typically need to
say something about properties of the local state to describe the relation,
although not necessarily much. For example, if we have some meaningful
notion of substate, one possibility is

• $(r,t) \sim_P (r',t')$ iff $r'_P(t')$ is a substate of $r_P(t)$

The accessibility relation we will set out below is an equivalence, and we
will say no more about this.)

Given an indistinguishability relation, we can then go on to define principal
$P$'s knowledge in terms of the worlds that are $P$-indistinguishable.

• $(r,t) \models P\ \mathit{knows}\ \varphi$ iff $(r',t') \models \varphi$ for all $(r',t')$ such that $(r,t) \sim_P (r',t')$

(Aside:  We  have  sketched  out  a  semantics  for  knowledge,  specifically  S5 
knowledge,  for  a  distributed  system.  The  modality  for  most  of  the  logics  in 
the  BAN  family  is  in  fact  belief.  The  reasons  for  and  significance  of  choosing 
one  or  the  other  have  been  discussed  elsewhere,  e.g.  [1,14],  and  we  will  say  no 
more  about  the  matter  here.) 

The above system model and characterization of knowledge is essentially
what is found in [1,17]. It is largely based on similar models and
characterizations of knowledge in distributed computing. (Cf., e.g., [6].) We now turn
specifically to strand spaces as a basis for knowledge semantics.

4.2 Strand Semantics for Knowledge

In  the  conclusion  of  [19]  it  was  suggested  that,  “[w]hat  a  protocol  participant 
knows,  in  virtue  of  his  experience  in  executing  a  protocol,  is  that  he  has 
performed  the  actions  lying  on  some  strand  s.  Thus,  the  real  world  must 
include  some  bundle  C  such  that  s  is  contained  in  C.  The  beliefs  that  the 
participant  may  justifiably  hold  are  those  that  are  true  in  every  bundle  C 
containing  s.” 

Thus,  a  possible  world  on  this  approach  is  simply  a  bundle.  This  is  a 
reasonable  approach  for  reasoning  about  some  protocol  features.  However, 
we  found  it  also  worthwhile  to  include  in  the  definition  of  possible  worlds  the 
nodes  within  bundles.  We  did  this  in  order  to  capture  temporal  aspects  of  the 
above  authentication  logics,  specifically  freshness.  (This  will  also  facilitate  the 
addition  of  richer  temporal  formulae  to  the  logic,  as  in  [15].) 

Neither strand spaces nor bundles have a notion of global time. Thus we
cannot have an indistinguishability relation that corresponds directly to the
above. However, $(C,s,i)$ picks a unique point $(s,i)$ in bundle $C$ and partitions
$\mathcal{N}_C$ into $\{(t,j) : (t,j) \preceq_C (s,i)\}$ and $\{(t,j) : (t,j) \not\preceq_C (s,i)\}$. This partition
allows us to define an accessibility relation on nodes in bundles based on local
time.

Definition 4.1 (i) Given a strand $s$, let $\mathrm{princ}(s)$ refer to the principal whose
strand $s$ is.

(ii) Given a node $(s,i)$ and a strand $t$ in a bundle $C$, let the restriction of
$t$ to $(s,i)$ in $C$ be $\mathrm{tr}(t) \upharpoonright (s,i) = \langle \mathrm{tr}(t)_1, \ldots, \mathrm{tr}(t)_j \rangle$, where $(t,j)$ is the
greatest node on $t$ s.t. $(t,j) \preceq_C (s,i)$.

With this notation in place we can now define an indistinguishability
relation.

Assume bundles $C$, $C'$ and strands $s$, $s'$, and indices $i$, $i'$ such that $(s,i) \in \mathcal{N}_C$
and $(s',i') \in \mathcal{N}_{C'}$. A natural definition, analogous to the runs-and-times
definition of the traditional literature, would be to have $(C,s,i) \sim_P (C',s',i')$
(i.e., $(C,s,i)$ is $P$-indistinguishable from $(C',s',i')$) just in case $P$'s history in
$C$ up to $(s,i)$ matches $P$'s history in $C'$ up to $(s',i')$. This is exactly right.
However, just as there is no global time in a bundle, there may also be multiple
strands associated with one principal. The resulting definition is thus:

Definition 4.2 $(C,s,i)$ is $P$-indistinguishable from $(C',s',i')$

(written as $(C,s,i) \sim_P (C',s',i')$) iff

(i) for any $t$ in $C$ s.t. $\mathrm{princ}(t) = P$ there exists $t'$ in $C'$ s.t.
$\mathrm{tr}(t) \upharpoonright (s,i) = \mathrm{tr}(t') \upharpoonright (s',i')$ and $\mathrm{princ}(t') = P$, and

(ii) the number of strands satisfying clause (i) is the same in $C$ and $C'$.
4.3 Truth Conditions for BAN-Style Formulae

The  purpose  of  this  section,  is  to  present  truth  conditions  for  basic  formulae  of 
a  BAN-style  language.  The  basic  notions  we  cover  are  freshness,  key  goodness, 
said  and  received  (got)  messages,  and  jurisdiction. 

Given our definition of $\sim_P$ above we can now present truth conditions for
knowledge in this semantics. Let $\varphi$ be some formula in our language. We
will define $\models$ inductively; however, the presentation is organized pedagogically
rather than to respect the inductive construction. We assume the usual truth
conditions for logical connectives, although we will not discuss compound
formulae in this paper.


$(C,s,i) \models P\ \mathit{knows}\ \varphi$

iff $(C',s',i') \models \varphi$ at all $(C',s',i')$ s.t. $(C,s,i) \sim_P (C',s',i')$

This definition gives a strand semantics for knowledge in a distributed
environment. However, we have not described what specific types of things
$\varphi$ might express. We can give semantics for formulae expressing the sending
and receiving of messages without giving any more details about the model.
But, before we do, we discuss the difference between the above knowledge
semantics and some of those that have preceded it.

4.3.1 Discussion: What you see is what you get?

One of the especially tricky features of AT and SVO is how to represent the
receipt of messages by a principal that were not understood, or worse, partially
understood. The semantics above opts for simplicity over fidelity to such subtle
epistemic intuitions.

To illustrate, if $P$ receives $\{\{X\}_{K_2}\{Y\}_{K_3}\}_{K_1}$ and $P$ has the keys $K_1$ and
$K_2$ but not $K_3$, we may or may not want to say that $P$ knows that he
has received $\{\{X\}_{K_2}\{Y\}_{K_3}\}_{K_1}$. Both AT and SVO adopt some notation to
indicate those messages not recognized by $P$, essentially replacing $\{Y\}_{K_3}$ in
this message with a placeholder for not-understood messages, i.e., those that
cannot ultimately be tied back to plaintext. (SVO further differentiates
specific not-understood messages so that, e.g., the same not-understood message
can be recognized if seen again.)

This is summed up in SVO by the comprehension axiom that basically says
that if $P$ believes he sees $F(X)$, then he believes he sees $X$. '$F$' here is
meta-notation for any effectively one-one function such that either it or its inverse
is computable in practice by $P$. This includes encryption and decryption with
the relevant key treated as a parameter. The intuition behind this is that
when $P$ believes $P$ received a message (as opposed to just receiving it) then
$P$ must understand what the message says, i.e., its structure.

The semantics we have described above does not respect this intuition.
However, it respects another, somewhat contrary intuition, namely that $P$
believes he received this message (whatever it is). The difference between
these two intuitions can be illustrated by means of the coin-flip example of
section 1.1. If Alice sends to Bob $\{Heads\}_K$, then as long as Bob lacks $K$,
he doesn't know that he has received $\{Heads\}_K$. In SVO and AT, this is
represented by replacing $\{Heads\}_K$ with a placeholder.

On the understanding implied by the semantics above, a placeholder is
not necessary. Bob knows he got $\{Heads\}_K$. He just doesn't know what that
means. In particular he doesn't know therefore that he was sent Heads as
opposed to Tails, or for that matter that this is an encrypted message as
opposed to a random string. If on the other hand $K$ were to be placed in
Bob's key set at some point, at that point he would know that he got Heads,
by the truth conditions for got formulae. To some extent this intuition
is captured in SVO by means of its distinct not-understood-message markers,
but it still assumes that a principal understands all the structure in a message
about which he has a belief. The above semantics may not capture the same
epistemic subtleties as SVO, but it has a greater simplicity in this respect as
well as a natural fit with the existing strand space constructs. We now return
to the presentation of truth conditions.


Let  M  be  an  arbitrary  message  from  our  term  algebra  A. 


$(C,s,i) \models P\ \mathit{sent}\ M$

iff there is a node $(t,j)$ in $C$ s.t. (i) $\mathrm{princ}(t) = P$, (ii) $(t,j) \preceq_C (s,i)$, and (iii)
$\mathrm{term}((t,j)) = +M$

$(C,s,i) \models P\ \mathit{received}\ M$

iff there is a node $(t,j)$ in $C$ s.t. (i) $\mathrm{princ}(t) = P$, (ii) $(t,j) \preceq_C (s,i)$, and (iii)
$\mathrm{term}((t,j)) = -M$
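Definitions 3.2 to 3.4 and 4.1 to 4.2, together with the truth conditions for knows, sent and received just given, are small enough to execute. The following added example (written for this page; it is neither the paper's code nor a tool of the strand space authors) does so in Python with message terms as opaque strings, since the term algebra is not needed for these definitions. The three bundles (Alice sending both coin-flip ciphertexts to Bob, the same with an extra Alice strand feeding a penetrator strand, and one in which Alice's strand stops after the first message) are constructed, and `knows` quantifies over a finite list of candidate worlds supplied by the caller rather than over all bundles.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable

# Added example, not from the paper: an executable reading of Definitions
# 3.2-3.4 and 4.1-4.2 plus the truth conditions for knows, sent and received.
# Message terms are opaque strings; strand names, principals and messages are
# constructed for the example.


@dataclass(frozen=True)
class Node:
    strand: str
    index: int          # 1-based, as in Definition 3.2(i)


@dataclass
class Bundle:
    """A candidate bundle C.

    strands: name -> (principal, trace); the trace is the prefix of the strand's
             signed terms (sign, term), sign in '+'/'-', whose nodes lie in N_C.
             Using whole prefixes makes condition (iii) of Definition 3.3 hold
             by construction.
    comm:    the edges ->_C chosen for C, as (sending node, receiving node).
    """
    strands: dict
    comm: set = field(default_factory=set)

    def nodes(self) -> set:
        return {Node(s, i) for s, (_, tr) in self.strands.items()
                for i in range(1, len(tr) + 1)}

    def term(self, n: Node) -> tuple:
        return self.strands[n.strand][1][n.index - 1]

    def princ(self, strand: str) -> str:
        return self.strands[strand][0]

    def succ_edges(self) -> set:                     # =>_C
        return {(Node(s, i), Node(s, i + 1))
                for s, (_, tr) in self.strands.items()
                for i in range(1, len(tr))}

    def strictly_precedes(self) -> dict:
        """n -> {n' : n precedes n' in C}: transitive closure of ->_C and =>_C (Def. 3.4)."""
        reach = {n: set() for n in self.nodes()}
        for a, b in self.comm | self.succ_edges():
            reach[a].add(b)
        changed = True
        while changed:                               # saturate
            changed = False
            for a in reach:
                new = set().union(*(reach[b] for b in reach[a])) - reach[a]
                if new:
                    reach[a] |= new
                    changed = True
        return reach

    def preceq(self, a: Node, b: Node) -> bool:      # a precedes-or-equals b in C
        return a == b or b in self.strictly_precedes()[a]

    def is_bundle(self) -> bool:
        """Definition 3.3; (i) is automatic and (iii) holds by construction."""
        nodes = self.nodes()
        for a, b in self.comm:                       # ->_C must be a subset of ->
            if a not in nodes or b not in nodes:
                return False
            (sa, ta), (sb, tb) = self.term(a), self.term(b)
            if not (sa == '+' and sb == '-' and ta == tb):
                return False
        for n in nodes:                              # (ii): unique sender per receipt
            if self.term(n)[0] == '-' and sum(1 for _, b in self.comm if b == n) != 1:
                return False
        return all(n not in later for n, later in self.strictly_precedes().items())  # (iv)


def restriction(C: Bundle, t: str, n: Node) -> tuple:
    """tr(t) restricted to n in C (Definition 4.1(ii)): the prefix of t's trace up
    to the greatest j with (t, j) preceding-or-equal n; empty if no node of t does."""
    tr = C.strands[t][1]
    j = max((k for k in range(1, len(tr) + 1) if C.preceq(Node(t, k), n)), default=0)
    return tuple(tr[:j])


def indistinguishable(P: str, C: Bundle, n: Node, C2: Bundle, n2: Node) -> bool:
    """(C, n) ~_P (C2, n2), Definition 4.2: every P-strand of C has a P-strand of C2
    with the same restriction, and the numbers of P-strands agree."""
    mine = [restriction(C, t, n) for t in C.strands if C.princ(t) == P]
    theirs = [restriction(C2, t, n2) for t in C2.strands if C2.princ(t) == P]
    return all(r in theirs for r in mine) and len(mine) == len(theirs)


def _occurs(P: str, sign: str, M: str, C: Bundle, n: Node) -> bool:
    """Some node (t, j) with princ(t) = P, (t, j) preceding-or-equal n and term sign M."""
    return any(C.princ(m.strand) == P and C.term(m) == (sign, M) and C.preceq(m, n)
               for m in C.nodes())


def sent(P, M, C, n):      # (C, n) |= P sent M
    return _occurs(P, '+', M, C, n)


def received(P, M, C, n):  # (C, n) |= P received M
    return _occurs(P, '-', M, C, n)


def knows(P: str, worlds: list, C: Bundle, n: Node, phi: Callable) -> bool:
    """(C, n) |= P knows phi: phi holds at every P-indistinguishable point.  The
    paper quantifies over all bundles; here over a supplied finite list of (bundle, node)."""
    return all(phi(C2, n2) for C2, n2 in worlds if indistinguishable(P, C, n, C2, n2))


def example_bundles():
    m1, m2 = "{Heads}_K", "{Tails}_K"              # constructed: the coin-flip messages
    # C1: Alice sends m1 then m2; Bob receives them in that order.
    C1 = Bundle({"a": ("Alice", [('+', m1), ('+', m2)]),
                 "b": ("Bob",   [('-', m1), ('-', m2)])},
                {(Node("a", 1), Node("b", 1)), (Node("a", 2), Node("b", 2))})
    # C2: as C1, plus a second Alice strand whose m1 goes to a penetrator strand.
    C2 = Bundle({"a":  ("Alice", [('+', m1), ('+', m2)]),
                 "b":  ("Bob",   [('-', m1), ('-', m2)]),
                 "a2": ("Alice", [('+', m1)]),
                 "p":  ("Penetrator", [('-', m1)])},
                {(Node("a", 1), Node("b", 1)), (Node("a", 2), Node("b", 2)),
                 (Node("a2", 1), Node("p", 1))})
    # C3: Alice's strand stops after m1; Bob has received only m1.
    C3 = Bundle({"a": ("Alice", [('+', m1)]),
                 "b": ("Bob",   [('-', m1)])},
                {(Node("a", 1), Node("b", 1))})
    return m1, m2, C1, C2, C3
```

At $(C_1, b, 1)$ Bob cannot distinguish $C_3$, where Alice's strand ends after the first message, so he does not know that a second message is coming; this is the temporal information that including nodes in possible worlds captures. At $(C_1, b, 2)$ he knows he received $\{Tails\}_K$ but not that Alice ran only one strand, since $C_2$ is indistinguishable to him.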

To  give  the  truth  conditions  for  other  formulae,  we  must  first  spell  out 
some  of  the  structure  of  the  term  algebra  and  define  a  notion  of  submessage. 
The  following  definitions  are  taken  from  [22]  and  can  also  be  found  in  the 
preceding  strand  space  papers. 

Assume the following:

• A set $T \subseteq A$ of texts (representing the atomic messages).

• A set $\mathcal{K} \subseteq A$ of cryptographic keys disjoint from $T$, equipped with a unary
operator $\mathrm{inv} : \mathcal{K} \to \mathcal{K}$.

We assume that $\mathrm{inv}$ is injective, that it maps each member of a key pair for an
asymmetric cryptosystem to the other, and that it maps a symmetric key to
itself.
• Two binary operators

$\mathrm{encr} : \mathcal{K} \times A \to A$

$\mathrm{join} : A \times A \to A$

We will follow notational conventions, some of which have already been
mentioned, and write $\mathrm{inv}(K)$ as $K^{-1}$, $\mathrm{encr}(K,M)$ as $\{M\}_K$, and $\mathrm{join}(a,b)$ as $ab$.
If $k$ is a set of keys, $k^{-1}$ denotes the set of inverses of elements of $k$.

The next assumption we make is that $A$ is the algebra freely generated
from $T$ and $\mathcal{K}$ by the two operators $\mathrm{encr}$ and $\mathrm{join}$. As noted in [22], this
assumption has been commonly made in this area of research going back to
[5]. As in [22] it is probably stronger than what we ultimately need but is
pedagogically convenient. Amongst other things, it implies that encryptions
and concatenations are unique and always distinct from each other and from
$T$ and $\mathcal{K}$.

Central to the semantics of said formulae is the concept of an ideal.
Interestingly, in the strand space papers it was introduced to formulate general
facts about the penetrator's capabilities, while in this paper we will say
virtually nothing about the nature of the penetrator.

Definition 4.3 If $k \subseteq \mathcal{K}$, a $k$-ideal of $A$ is a subset $I$ of $A$ such that for all
$h \in I$, $g \in A$ and $K \in k$

(i) $hg, gh \in I$.

(ii) $\{h\}_K \in I$.

The smallest $k$-ideal containing $h$ is denoted $I_k[h]$.

The notion of ideal can be used to define a subterm relation $\sqsubset$ as follows [21].

Definition 4.4 Let $k \subseteq K$. $s \in A$ is a $k$-subterm of $t \in A$, written $s \sqsubset_k t$, iff $t \in I_k[s]$.

If $k = K$ in this definition, then we say simply that $s$ is a subterm of $t$, and write $s \sqsubset t$.

We now give truth conditions for said formulae:

$(C, s, i) \models P\ \mathrm{said}\ M$

iff there is a message $M'$ s.t. $(C, s, i) \models P\ \mathrm{sent}\ M'$ and $M \sqsubset_k M'$, where $k$ is the set of keys possessed by $P$ at $(s, i)$.

Notice that $P$ is held accountable, e.g., for saying $M$ at $n$ if he sends $\{M\}_K$ at $n' \prec n$ and he has $K$ at $n$, even if $K$ was not in his key set until some $n''$ s.t. $n' \prec n'' \preceq n$.

A definition that does not occur in any of the strand space papers is that of a filter. In many contexts, filters are the duals of ideals. In our case, they are useful for giving semantics to got formulae, those that express the understood messages contained in received messages.

Definition 4.5 If $k \subseteq K$, a $k$-filter of $A$ is a subset $F$ of $A$ such that for all $h, g \in A$ and all keys $K$:

(i) $hg \in F$ implies $h \in F$ and $g \in F$;

(ii) $\{h\}_K \in F$ implies $h \in F$, whenever $K^{-1} \in k$.

The smallest $k$-filter containing $h$ is denoted $F_k[h]$.

In general, the relation between filters and ideals is not so simple because, in public-key cryptography, one may have $K$ and not have $K^{-1}$, or vice versa. However, in this paper we are limiting ourselves to the symmetric key case, $K = K^{-1}$. In this case there is a simple relation. (This relation also holds when both cognates of a public/private key pair are known.) It is easy to show that

Proposition 4.6 For all sets of keys $k'$ of the form $k \cup k^{-1}$,

$g \in F_{k'}[h]$ iff $h \in I_{k'}[g]$.

Thus, for key sets $k'$ of this form, by Definition 4.4, $s \sqsubset_{k'} t$ iff $s \in F_{k'}[t]$.
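The following is an added illustration and not part of the original paper: a concrete model of the free term algebra with texts, keys, $\mathrm{encr}$ and $\mathrm{join}$, the $k$-ideal membership test behind Definition 4.4, the $k$-filter of Definition 4.5, an exhaustive check of Proposition 4.6 over the subterms of a sample message, and the said and got truth conditions at a single point. The key names, texts, sample message and the "key set before/after acquiring $K$" scenario are constructed here; the encoding of $\mathrm{inv}$ as a pair of key names is an assumption of this example.

```python
# Added example, not code from the paper: the free term algebra A of Section 4
# with k-ideals, k-filters, the k-subterm relation, a check of Proposition 4.6,
# and the 'said' / 'got' truth conditions at one point.  All key names, texts
# and sample terms below are constructed for illustration.
from dataclasses import dataclass
from typing import FrozenSet, Set, Union


@dataclass(frozen=True)
class Text:             # element of T (atomic message)
    name: str


@dataclass(frozen=True)
class Key:              # element of K; inv(Key(a, b)) = Key(b, a) (assumed encoding)
    name: str
    inverse: str        # inverse == name for a symmetric key


@dataclass(frozen=True)
class Encr:             # encr(K, M), written {M}_K
    key: Key
    body: "Term"


@dataclass(frozen=True)
class Join:             # join(a, b), written ab
    left: "Term"
    right: "Term"


Term = Union[Text, Key, Encr, Join]


def inv(k: Key) -> Key:
    """inv is injective, an involution, and the identity on symmetric keys."""
    return Key(k.inverse, k.name)


def in_ideal(t: Term, s: Term, keys: FrozenSet[Key]) -> bool:
    """t in I_k[s].  Because A is free, t lies in the smallest k-ideal containing s
    exactly when t is built from s by joining with anything (on either side) and by
    encrypting under keys in k, so membership is a structural check."""
    if t == s:
        return True
    if isinstance(t, Join):
        return in_ideal(t.left, s, keys) or in_ideal(t.right, s, keys)
    if isinstance(t, Encr):
        return t.key in keys and in_ideal(t.body, s, keys)
    return False


def k_subterm(s: Term, t: Term, keys: FrozenSet[Key]) -> bool:
    """Definition 4.4: s is a k-subterm of t iff t in I_k[s]."""
    return in_ideal(t, s, keys)


def filter_of(t: Term, keys: FrozenSet[Key]) -> Set[Term]:
    """F_k[t]: close {t} under splitting joins and under decrypting {h}_K when inv(K) in k."""
    out: Set[Term] = {t}
    if isinstance(t, Join):
        out |= filter_of(t.left, keys) | filter_of(t.right, keys)
    elif isinstance(t, Encr) and inv(t.key) in keys:
        out |= filter_of(t.body, keys)
    return out


def syntactic_subterms(t: Term) -> Set[Term]:
    """All syntactic subterms of t (keys in key position are not subterms)."""
    out: Set[Term] = {t}
    if isinstance(t, Join):
        out |= syntactic_subterms(t.left) | syntactic_subterms(t.right)
    elif isinstance(t, Encr):
        out |= syntactic_subterms(t.body)
    return out


def prop46_holds(t: Term, keys: FrozenSet[Key]) -> bool:
    """Exhaustively test 'g in F_k[h] iff h in I_k[g]' over the subterms of t.
    True whenever keys is closed under inv; may fail for a one-sided key set."""
    terms = syntactic_subterms(t)
    return all((g in filter_of(h, keys)) == in_ideal(h, g, keys)
               for g in terms for h in terms)


def said(sent: Set[Term], keys: FrozenSet[Key], m: Term) -> bool:
    """P said M at (s,i) iff P sent some M' with M a k-subterm of M', k = P's keys there."""
    return any(k_subterm(m, m1, keys) for m1 in sent)


def got(received: Set[Term], keys: FrozenSet[Key], m: Term) -> bool:
    """P got M at (s,i) iff P received some M' with M in F_k[M']."""
    return any(m in filter_of(m1, keys) for m1 in received)


# Constructed sample data: a symmetric key, B's asymmetric pair, two texts.
kab = Key("Kab", "Kab")
pub_b, priv_b = Key("KB", "KB^-1"), Key("KB^-1", "KB")
na, m = Text("Na"), Text("m")
msg = Join(na, Encr(kab, Join(m, Encr(pub_b, na))))      # Na {m {Na}_KB}_Kab


def accountability_demo():
    """The caveat after the 'said' condition: P sends {m}_Kab while holding no keys,
    then acquires Kab.  'P said m' is false at the earlier point and true at the later."""
    before = said({Encr(kab, m)}, frozenset(), m)
    after = said({Encr(kab, m)}, frozenset({kab}), m)
    return before, after
```

Running `prop46_holds(msg, frozenset({pub_b}))` returns False: with only $K_B$ in the key set, $\{N_a\}_{K_B} \in I_k[N_a]$ (encryption under $K_B$ is allowed) but $N_a \notin F_k[\{N_a\}_{K_B}]$ (decryption needs $K_B^{-1}$), which is exactly the asymmetric case the proposition excludes; with `frozenset({kab})` or `frozenset({pub_b, priv_b})` the equivalence holds for every pair of subterms.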
We can now give the truth conditions for got formulae. (We present them for the general case.)

$(C, s, i) \models P\ \mathrm{got}\ M$

iff there is a message $M'$ s.t. $(C, s, i) \models P\ \mathrm{received}\ M'$ and $M \in F_k[M']$, where $k$ is the set of keys possessed by $P$ at $(s, i)$.

We can use the truth conditions for said and got formulae to further give the truth conditions for key goodness.

$(C, s, i) \models P \xleftrightarrow{K} Q$

iff, for all $(s', i') \in \mathcal{N}_C$, $(C, s', i') \models R\ \mathrm{said}\ \{M\ \mathrm{from}\ Q\}_K$ implies either $(C, s', i') \models R\ \mathrm{received}\ \{M\ \mathrm{from}\ Q\}_K$, or $R = Q$ and $(C, s', i') \models R\ \mathrm{said}\ M$.

If $(C, s', i') \models R\ \mathrm{said}\ \{M\}_K$ (instead of the stronger $(C, s', i') \models R\ \mathrm{said}\ \{M\ \mathrm{from}\ Q\}_K$), then $R \in \{P, Q\}$ (instead of the stronger $R = Q$).

Note that these are the truth conditions from [17] with $(C, s, i)$ replacing $(r, t)$ and $(C, s', i')$ replacing $(r, t')$ throughout. This was itself based on the truth conditions for goodness given in [1].

Once we have a mechanism to express the beginning of the current epoch, we will be able to similarly dispatch the freshness and jurisdiction formulae. In order to do that, we must again confront the absence of a global concept of time. In the system models for possible world semantics of BAN-like logics, it was trivial to stipulate a global time $t_0$ and then define something as fresh if it was not said (by anyone) prior to $t_0$. We instead define a concept now as follows.




Definition 4.7 For any bundle $C$, $\mathrm{now}_C \subseteq \mathcal{N}_C$ is a nonempty set of incomparable nodes (i.e., a nonempty set of nodes s.t. $n, n' \in \mathrm{now}_C$ implies $n \not\prec n'$ and $n' \not\prec n$). For $n \in \mathcal{N}_C$, we may write '$\mathrm{now}_C \prec n$' just in case there exists $n' \in \mathrm{now}_C$ s.t. $n' \prec n$. When it is clear from context which bundle is relevant, we will write simply '$\mathrm{now}$'.

Thus,

$(C, s, i) \models \mathrm{fresh}(M)$

iff for all principals $P$ and all nodes $(s', i') \in \mathcal{N}_C$, $(C, s', i') \models P\ \mathrm{said}\ M$ implies $\mathrm{now} \prec (s', i')$.

The truth conditions for jurisdiction assume truth conditions for says formulae, which the definition of $\mathrm{now}_C$ allows us to formulate.

$(C, s, i) \models P\ \mathrm{says}\ M$

iff there is a message $M'$ and a node $(t, j)$ in $C$ s.t. (i) $\mathrm{princ}(t) = P$, (ii) $\mathrm{now} \prec (t, j) \prec (s, i)$, (iii) $\mathrm{term}((t, j)) = +M'$, and (iv) $M \sqsubset_k M'$, where $k$ is the key set possessed by $P$ at $(s, i)$.

If $\varphi$ is a formula,

$(C, s, i) \models P\ \mathrm{controls}\ \varphi$

iff $(C, s, i) \models P\ \mathrm{says}\ \varphi$ implies $(C, s', i') \models \varphi$ for any $(s', i')$ s.t. $\mathrm{now} \prec (s', i')$.

These conditions are similar to those in [1] and [17], mutatis mutandis. Notice that goodness is a condition that is constant across all points in the same bundle. And, jurisdiction and freshness are constant across all points in the present epoch. Notice also that jurisdiction is restricted to those messages that are formulae, rather than messages in general. This completes our presentation of truth conditions.

5 Conclusion

In this paper, we have set out a strand semantics for a BAN-style language. In the future we intend to set out an axiomatization that is sound with respect to this semantics. We also intend to connect this work with other approaches. The strand papers have already noted a connection to Paulson's inductive approach [13]. And Meadows has observed connections between Paulson's inductive approach, ideals in strand spaces, and the construction of languages used to prune an infinite search space down to manageable size in her NRL Protocol Analyzer. In [9], an attempt was made to compare the computation model of AT with that of the NRL Protocol Analyzer (NPA). A number of open problems were described that needed to be resolved if they were to be ultimately integrated. In [18], a somewhat more optimistic comparison was made between the models underlying NPA and SVO. Given all of the above, it seems likely that strand spaces may provide the ultimate tie that binds BAN-style approaches to NPA. In addition to providing theoretical insight into the area, it is to be hoped that this will enable combining the complementary applied advantages of each.